Abstract
We compare the method of Weil descent for solving the ECDLP, over extension fields of composite degree in characteristic two, against the standard method of parallelised Pollard rho. We give details of a theoretical and practical comparison and then use this to analyse the difficulty of actually solving the ECDLP for curves of the size needed in practical cryptographic systems. We show that composite degree extensions of degree divisible by four should be avoided. We also examine the elliptic curves proposed in the Oakley key determination protocol and show that with current technology they remain secure.
Keywords
- Elliptic Curve
- Hyperelliptic Curve
- Discrete Logarithm Problem
- Elliptic Curve Discrete Logarithm Problem
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Smart, N.P. (2001). How Secure Are Elliptic Curves over Composite Extension Fields?. In: Pfitzmann, B. (eds) Advances in Cryptology — EUROCRYPT 2001. EUROCRYPT 2001. Lecture Notes in Computer Science, vol 2045. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44987-6_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42070-5
Online ISBN: 978-3-540-44987-4
eBook Packages: Springer Book Archive